Acecard Android Trojan Raises Serious Concerns

The re-emergence of the mobile banking Trojan known as Acecard, which is now threatening a broader range of targets worldwide, highlights the growing risks associated with Android devices and the need for banks and mobile app developers to do more to protect users' accounts.

Acecard, which emerged in February 2014, has evolved to become one of the most dangerous banking Trojans, according to researchers at Kaspersky Lab.

In a new blog post, Kaspersky Lab researcher Roman Unuchek says researchers determined that Acecard, which had disappeared for several months in 2014, re-emerged in mid-2015 with enhanced features. The most recent version of Acecard now targets a number of mobile applications, including nine social media apps, which it attacks to steal passwords, and nearly 50 financial apps, including mobile payment and mobile banking apps.

"Considering that these Trojans are capable of overlaying any application upon command, the overall number of attacked financial applications may be much larger," he adds.

The Trojan has the ability to intercept and steal SMS/text messages sent from banks to users and can overlay mobile app windows with phishing messages designed to entice users to click on links that infect their devices, Unuchek notes.

And while the early Acecard attacks primarily targeted users in Russia, attacks are now hitting users in Australia, Germany, France and even the U.S., Kaspersky Lab finds.

"Early October saw the emergence of a new modification that attacked the banking apps of the three largest U.S. banks," Unuchek writes. "December 2015 saw a dramatic rise in the number of attacks on U.S. users. In that month, the U.S. came in third, in terms of the number of unique users attacked by this malware."

Tom Kellermann, CEO of security firm Strategic Cyber Ventures, describes Acecard as "elegant and dangerous," and says its continued evolution should get the security industry's attention.

"We are not making too much fuss," he says. "What people fail to understand is that these Trojans not only steal your funds, but they can also hack your reality via allowing the adversary to virtually invade your physical environs via activation of microphone and video settings. Acecard is one of the forefathers of a long line of Android Trojans that are being manufactured in the Chinese and Russian undergrounds."

"Acecard is an advanced Trojan that's part of the pattern we're starting to get used to now of ever more diverse and feature-rich financial malware," he says. "While it's cause for concern, the fact that we as an industry haven't been able to interrupt that pattern is cause for more concern."

Wills argues that the "systemic security weaknesses" that have allowed Trojans, including Acecard, to emerge are the same weaknesses that allowed the banking keylogger Zeus to compromise PC users seven to eight years ago. Clearly, the industry still isn't doing enough to shore up user security, he contends.

"User susceptibility to social engineering, insecure authentication, weak security in application design and development, and inadequate app store security - especially in the Android world," are all to blame, Wills says. "Banks and vendors have made improvements in all of these controls individually, but, as we can see, in total they're not nearly enough to put a halt to the problem."

William Hugh Murray, an information security expert and management consultant, says banks have a responsibility to monitor accounts for anomalous mobile-banking activity, and mobile app developers need to be aware of how their apps could be targeted.

"Developers of banking apps for Android should understand how this software may contaminate their product, and how to detect and resist such contamination," Murray says. "Banks should confirm all banking transactions to the user through out-of-band [verification], so that the user can recognize and report fraudulent activity on a timely basis. This is essential to banking, online or otherwise, mobile or otherwise, Android or otherwise."

Unuchek, in an emailed response to Information Security Media Group, says an efficient fight against mobile cybercrime requires efforts from different sides. "Customers should not forget about risks that mobile malware brings; the security community should share as much data about new threats as possible; and financial institutions should pay more attention to educating and protecting its customers," he says. "It is not only about limiting the app options. It is about the overall approach to security: Google brings users more freedom in terms of where they get apps for their Android devices, but the downside of this approach is that the level of freedom is available for criminals as well. Using an Apple device, you would be able to legally download apps only from the app store, and that would cut a lot of risks, but would cut the freedom of choice as well. Android users in this situation should be more cautious about what they are installing on their devices and where they get it from."

Acecard's Evolution and Advances

In his blog about Acecard's evolution, Unuchek notes that dramatic advances in the Trojan's attack features and functionalities were first identified during the summer and fall of 2015 as a result of research for the firm's IT Threat Evolution report for Q3 2015. An unexplained uptick in mobile banking Trojan attacks waged against Australian Android users spurred Kaspersky Lab's research team to dig further and ultimately led it to Acecard, Unuchek says.

"We discovered that Australia had become the leading country, in terms of number of users attacked by mobile banker Trojans," he writes. "We decided to find out what was behind this jump in activity and managed to identify the cause: Trojan-Banker.AndroidOS.Acecard. This family accounted for almost all the banker Trojan attacks in Australia."

Unuchek says that in late August 2014, the second generation of Acecard was found to be using the TOR network for command-and-control communications, which keeps those communications anonymous. From there, the number of commands the Trojan supported increased, and phishing windows were deployed to overlay apps such as the Google Play Store, Facebook, Instagram and Skype.

He links Acecard to other Android Trojans. "The modifications of Acecard were written by the same cybercriminals who earlier created Backdoor.AndroidOS.Torec.a, the first TOR Trojan for Android, as well as Trojan-Ransom.AndroidOS.Pletor.a, the first encryptor for mobile devices," Unuchek writes. "All three Trojans run on Android."

About the Author

A veteran journalist with more than 20 years' experience, Kitten has covered the financial sector for the last 13 years. Before joining Information Security Media Group in 2010, where she now serves as director of global events content and executive editor of BankInfoSecurity and CUInfoSecurity, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by CNN.com, ABC News, Bankrate.com and MSN Money.
